Is PII Still The Third Rail Of Privacy For Ad Tech?

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Alan Chapell, president at Chapell & Associates.

The rules around the merger of personally identifiable information (PII) with ad-serving data are perhaps the most oft-referenced privacy rules in ad tech. Over the past 15 years, if you asked any ad tech CEO about privacy, the first words out of his or her mouth would have been: “We don’t collect PII.”

Even where senior execs didn’t know much about digital privacy, the one thing all of them did know is that PII was the third rail of digital privacy. As a result, the mere appearance of touching PII has been a non-starter in ad tech for as long as anyone can remember.

The core privacy rules were created 15 years ago when the marketplace looked very different. I believe it’s time to revisit some of those rules – and for ad tech companies to reconsider leveraging PII.

The Initial Visceral Reaction To PII Merger Vs. Marketplace Growth

When DoubleClick bought Abacus Direct back in 1999, many worried it would combine Abacus’ personal information with DoubleClick’s online browsing data. Many things drove the reaction to the privacy scandal – not the least of which was an emotional response. Advocates lamented that DoubleClick/Abacus was creating a “surveillance database of Orwellian proportions,” and a constant stream of criticism rained down on DoubleClick for months. Collectively, advocates, regulators and the press drew a line in the sand indicating that ad networks must be kept as far away from the personally identifiable as possible.

Yet during the past 15 years, companies in the digital media marketplace continued to inch closer to PII. This begs the question: Has time softened the perspective of advocates and regulators? One thing is clear: Marketplace growth has outpaced anything DoubleClick may have been contemplating.

Consider this: In March of 1999, DoubleClick’s US network boasted more than 120 of the web’s most recognized sites, and DoubleClick as a whole delivered a “whopping” 30 billion ads every month.

By today’s standards, the scope and scale of information collected by DoubleClick during the Abacus acquisition seems almost quaint; I’m certainly not the first person to make this observation. Heck, even Merkle’s new deal with News Corp. will impact more consumers and serve more ads than DoubleClick/Abacus ever did.

But this goes far beyond Merkle’s people-based marketing program or Experian’s OmniView multichannel ID or Facebook’s merger of PII with the behavioral data it collects from 90% of the Internet or Google’s new program enabling marketers to buy on YouTube with email addresses. Across the spectrum, the Chinese wall separating PII and non-PII in digital media has narrowed during the past decade to the point where we can practically see through it.

In light of all this, why is the ad tech community clinging to these rules? Is there either a business or privacy advantage to maintaining the current pseudonymous data approach? (Some background is available here.)

Moving To An IoT-Enabled World

The Internet of Things (IoT) will exponentially increase the amount of digital data collected through watches, fitness devices, thermostats, automobiles, major appliances and dozens of other things that we haven’t even thought of yet. Marketers will need to be able to structure all of this data if they want to draw user-centric insights. As of today, there are really only two viable paths to structure IoT data.

Marketers could take a platform approach using pseudonymous identifiers. This is the approach currently utilized widely in mobile advertising and relies on a pseudonymous ID provided by the mobile operating systems. In an IoT-enabled world, an identifier could be provided by an OS, wireless carrier, browser and a social networking platform.

Marketers could also take a PII approach, which is practiced by many retailers that use customers’ email address or telephone number to tie all of this information together.

The platform approach works relatively well where the advertiser wants to understand what a particular piece of media cost, how many impressions it generated and what the audience looks like. But most platforms don’t allow third-party verification of their numbers or enable advertisers to understand the impact of cross-platform advertising. Answering simple questions such as, “How do users respond when they’ve seen my ad twice on Facebook and twice more on YouTube?” is nearly impossible with a platform approach.

As the number of customer touch points increases exponentially in an IoT-enabled world, advertisers are incented to move away from the platform approach, which they don’t control, to a PII approach, which they can control.

The Privacy Argument

I’m sure the mere mention of merging PII with digital data bits will give many privacy professionals fits. Nonetheless, the regulatory climates in the EU and US aren’t currently focused on reining in PII merger practices.

The European Union arguably has the world’s strictest privacy rules. Over the past several years, EU policymakers have grown increasingly reluctant to draw distinctions between personal data and pseudonymous data. There are many different things at play in the EU as we head into 2016, and the EU’s knee-jerk response to every privacy problem boils down to one word: consent.

Ultimately, if EU policymakers continue down the path of requiring consent for the collection and use of a cookie ID, they are essentially signaling to the marketplace that it should obtain consent as broadly as possible. By requiring an expansive consent, you create incentives to collect as much data as possible.

In the US, it’s worth noting that in the 15 years since the DoubleClick/Abacus scandal, the Federal Trade Commission (FTC) has publicly said little about the merger of PII with ad-serving data. If anything, the FTC has seemingly shifted its focus away from the merger of PII with online profiling information. In 2010, it acknowledged that the “distinction between PII and non-PII continues to lose significance.” And there’s no mention of PII merger concerns in the recent FTC IoT staff report (PDF).

More Questions Than Answers

Facebook and Twitter have used email as a targeting ID both on and off their respective platforms for some time now, with nary a peep from the FTC.

If those entities are tacitly allowed to do that, is it a big deal for Merkle to use PII to target ads within the four corners of News Corp. sites? What are the distinctions we’re drawing as we head into 2016? Are larger entities really “more privacy protective because it’s all within one company” or are there other considerations?

In other words, what is the current rationale for the distinctions that are being drawn today?

To be clear, I’m not advocating any policy in particular. I’m simply noting that the industry came together and created a set of rules in 2000. And since that time, the industry has changed drastically – heck, the whole world has changed. Given all this transition, it’s worth asking whether some of these old rules still make sense.

Follow Alan Chapell (@chapell68) and AdExchanger (@adexchanger) on Twitter.
